ChildWatch.iehttps://childwatch.ie
Cyber Safety CentreSat, 05 Jan 2019 18:43:00 +0000en-UShourly1https://wordpress.org/?v=5.0.2https://childwatch.ie/wp-content/uploads/2016/02/Drawing2.pngChildWatch.iehttps://childwatch.ie
3232Indian Tech-Support scammers as Child Pornographershttps://childwatch.ie/indian-tech-support-scammers-child-pornographers/
Tue, 14 Jun 2016 15:50:35 +0000http://childwatch.ie/?p=2333The scam most commonly referred to as the ‘Indian Tech Support’ scam is revealed to most people when they receive a call from a long overseas phone number and upon answering encounter a person with an Asian sub-continent accent purporting to be from Microsoft, or it may also be Eir, Vodafone, or any of the Read More ...

]]>The scam most commonly referred to as the ‘Indian Tech Support’ scam is revealed to most people when they receive a call from a long overseas phone number and upon answering encounter a person with an Asian sub-continent accent purporting to be from Microsoft, or it may also be Eir, Vodafone, or any of the tech providers that are out there. The caller will claim to be working on behalf of the company and claim that they have detected a virus or malware of some sort that is running on your computer and leaking your personal data out to scammers on the Internet.
Ironic, isn’t it?
A person succumbing to such a call will engage in something of a tech-speak dance and invited to download a piece of software that will allow the ‘support advisor’ to work remotely on the supposedly sickly computer. The unfortunate victim then assists in the scam by downloading and installing this software (usually a reputable solution used routinely in business tech support) and this process culminates in the scammer having remote access to the victims computer. They will download a batch file or an executable that will generate a command box and throw some fancy looking rubbish that the scammer will point to as major flaws that they will fix. They will also show the victim their event viewer and point out the myriad of red notices that are ten a penny in the system, application and other event logs. Finally this all culminates in the victim making a payment to the scammer.
A criminal (the scammer) getting access to the victims computer opens possibilities for not just stealing money. There can be an invasion of personal privacy through loss of data and photographs; invasion of other devices that may connected to the victims home or business networks; and the installation of an enduring shell program that resides on the victims computer and is digitally reachable when the victim connects to the Internet. These possibilities elevate the criminal to a different level of threat to victims and introduce the potential for all manner of damage that go far beyond a scam to get money.
We have encountered cases where these criminals have connected to people’s personal data on local, network and cloud drives such as iCloud, Dropbox and Google drive through the infected computer because the victim has enabled that remote control program that is designed for technicians on help desks to take control of a computer, diagnose a problem and fix it. A criminal with this type of access can, and do, reek havoc and seek to further damage the victim by threat of blackmail or simply circulating damaging information that they find in personal files. We have seen cases where social media profiles were deleted, altered or hijacked allowing the criminal to instigate and verify false online accounts through which they transact financially or further their criminal activities by targeting others in a victim’s private and professional network.
Cloud accounts are often administratively linked to mobile devices such as tablets, phones etc. If you log into your iCloud account for instance, you can access data being synced from your iPhone. You can attach a new iPhone to that iCloud account and if it is shared or accessed by other family members then there can be impact there too. If there are sensitive photos or other information including email; photos of very young children in the bath or playing on the beach with no clothes on; movies created in the family home setting that are never meant for public consumption; the prepubertal or younger teen girl in the bedroom or bathroom with friends getting ready for the birthday party and trying on each other’s clothes; anything in the free and frolicking world of children at play in a setting where they believe their privacy to be sacrosanct.
That common garden cyber criminal is now a very different prospect and the threat they pose is significantly elevated above that of the common garden scammer. They may encrypt precious memories and sell them back to the heartbroken and frightened victims.
In the world of online CAM (child abuse material), anything that is rare gets noticed and becomes valuable. There has been a trend of collecting private images of children taken from parents social media pages and exchanging them through privately held illegal photo collections or publicly accessible illegal web sites. However, the invasion of private personal movies and images never meant for sharing outside of the family, and particular if they are created by children themselves are pearls to paedophiles. If this were not distressing enough, the most polished pearl of all is the identity and location of the children, entirely enhanced by contact information such as the family home phone number and children’s individual mobile phone numbers, their social media profiles, and Snapchat identity for good measure.
The scenario being outlined in this blog post is NOT hypothetical. It is based on real world cases and events.
If a criminal gets remote access to a computer that has saved credentials in browsers or keychains; or contains very sensitive personal or business information including email and other messaging; very personal images (particularly of children); then such a data breach requires attention.
In cases where a break-in to an IT system occurs, the business will initiate a security protocol that isolates affected devices, investigates to discover what has occurred and if there are remaining threats, then takes action to protect the devices, network and data. The problem for the ordinary person at home who realises that this is occurring is that they will likely have no IT security unit within reach to isolate, investigate and secure a breach.
As a victim you will likely want to delete whatever programs have been installed by the scammers and spend time looking into the computer where the breach has occurred. However you are looking in the wrong place and all the while, damage is occurring elsewhere.
If such an incident has occurred in the past and you did not realise what it was at the time then whatever was taken by the scammers is long gone. If you are receiving such a call and have gone as far as downloading and installing the remote control software and through unease or suspicion then make a call to whichever company the scammers are impersonating, you will be told to DISCONNECT your router immediately. Once done then the criminals cannot access the devices inside your home. If you have smartphones then disconnect data access to isolate them also from the internet. DO NOT switch anything off or reboot any device since a lot of information about the breach and what the criminals have got up to are visible in memory that will be destroyed if you shut down your operating system.
NOW go to a neighbour and ask to use their computer and phone. IMMEDIATELY go to your cloud drives, email, social media and change your passwords. If you do not use 2 Factor Authentication such as Google Authenticator or options to receive codes through SMS for the likes of Twitter, Yahoo and Microsoft, then start using it right now.
Contact phone support for the cloud operators that you use for data (Apple, Google, Dropbox etc) and make them aware of what has occurred and ask them to secure your data which they will do by disabling internet access and retaining a data set of transactions that have occurred since the scam began. They will be able to see where attempts have been made to access, copy, destroy, or other activities against your data and will be able to retain that information for investigation by police.
Paypal, online banking and credit card operators: if your data is stored in browsers or keychain then you have to assume that it is compromised, and act accordingly by informing and allowing them to freeze your accounts until fresh credentials can be put together.
And now comes your biggest hurdle: reporting the incident to the police, and if applicable, your business. These are personal calls and only you as the victim will know potentially what has been compromised.
The biggest issue with police initially is whom you encounter at the desk. It is difficult to police something of which you have little experience and all too often, policemen and women will not have specialist knowledge in the field of IT security and not really understand what has occurred. For instance if an officer assumes the the main issue is the money scam then in all likelihood they will say that they have little jurisdiction over the scammers and the best thing to do is change your passwords and wipe your phone or computer.
DON’T WIPE YOUR DEVICE since all evidence of what has occurred will be destroyed to a greater or lesser degree depending on the method of deletion and overwrite.
If you have sensitive data or photographs and believe that they have been moved, shared or copied by someone other than you, and you have been the victim of the tech-support scam, then you must persuade the police of your concerns and demand if necessary that they investigate those concerns. Only the police will have access to your mobile provider or ISP, social media and cloud providers, and they are best placed to make such an investigation. However, computer crime is rampant and is a component of anything from fraud to prostitution, crimes against children, drugs cases etc etc etc……. Police have finite resources and your case will go on the list. But what they can do in the very short term is collect data sets and securely store devices for later forensic scrutiny.
There is no doubt that not every scammer gaining access to your computer or phone wants to remove your sensitive data or pictures, but there is equally no doubt that some do poke around when they get remote access, and equally there are some who are specifically looking sensitive or embarrassing information that can be used later for blackmail while you are being kept busy looking at the red icons and warnings in event logs. Your sensitive data is one thing, but sensitive or naked photos of your children is another. These photos are interesting to a certain audience and coupled with identifying and locating information are not good in the wrong hands.
It is important to keep this blog post in perspective, but be aware of its significance also. Don’t be unnecessarily paranoid but absolutely avoid being naive either. The bottom line is this: if anyone gains access to your digital devices and you keep sensitive data and photos, and in particular of your children, then seek advice and help as soon as possible.

]]>Parental oversight does not work to protect children online.https://childwatch.ie/parental-oversight-not-work-protect-children-online/
Fri, 13 May 2016 14:16:20 +0000http://childwatch.ie/?p=2248There are great studies carried out across the world from time to time attempting to understand what young people, children and teenagers, are doing online. This is of course a moving feast that alters with the oncoming of each new gadget or app’ that trends and dominates their lives for a while. A one year Read More ...

]]>There are great studies carried out across the world from time to time attempting to understand what young people, children and teenagers, are doing online. This is of course a moving feast that alters with the oncoming of each new gadget or app’ that trends and dominates their lives for a while.

A one year old child flipping through a magazine is attempting to scroll down the page with a two-finger swipe. The child gets upset because the page is unresponsive and reverts to a nearby iPad. The video entitled “A magazine is an iPad that doesn’t work” received over 5 million hits and generated considerable debate among viewers in 2011. What this immediately demonstrates is that people of all ages, both young and old, value a sense of depth and variety in digital media content that is capable of entertaining their intellectual capability.

The only real boundary to this technology going forward is the evolution of hardware, and the app’s that avail of it. Take the power of the latest iPad (Pro) for instance and the capability that it affords in terms of processing, audio and video, and split screens with multiple applications running side by side. App’s like Snapchat (as just one example) are designed to restrict the distribution of information and images meaning that young people attribute significant trust to the app’s capability and as a result, tend to take risks in the nature of the data that they are exchanging. The continuous upgrading of app’s to provide new functionality often means that the people using them don’t actually know what that functionality is capable of. For instance, in our talks to students we find that even though geo-location services are ten a penny in app’s, students are aghast to discover that there are applications out there that are designed to discover and track their social media posts where they have location services enabled.

It is estimated that over 36% of children under the age of one have touched some sort of screen. Children are not just following some trend among the adult population of technology users. They are adapting to technology as an everyday tool with amazing speed, and that is putting pressure on parents and guardians who are generally not keeping pace. Indeed a survey in 2014 discovered that as many as forty percent of parents were learning about computing from their children. The reason why this is of concern is oversight: how do you oversee a child, and in particular a teenager that knows more about technology that you (the parent) do. It is this very fact that is challenging relationships between children and their parents since the latter cannot comprehend what their offspring are doing online, let alone have any inclination to oversee it.

In 2011, a survey of parents of six to sixteen year olds found that up to ninety three percent of Irish parents mitigate in some fashion what their children are doing online, which is utterly astonishing given the gulf between parents and young people with regard to their online activities. I suppose one would need to understand just what the term ‘mitigate’ meant and the context of the question(s) that determined a positive or negative response. What the evidence really tells us is that the divergence of technical capability between children and adults means that parents are generally not capable of such mitigation and in our own research into online image abuse and sexting, and running talks and workshops for parents since 2008, we found that to be the case.

Parents of younger children need to instil good habits, and parents of all children need to ADOPT good habits. Many parents post hundreds of images of their children online with all manner of captions and identifying commentary meaning that should a child at some point in the future decide that their privacy is important to them, then they will have a job of work to do to ensure that their digital footprint having been created at a young age by their parents is challenging to manage.

Teenagers as we know have their own range of difficulties online. The news channel CNN ran a series of reports about thirteen year olds online and discovered the the heavier users among them checked into their social media account over one hundred times per day. Sixty one percent wanted to see if their posts were getting likes and twenty one percent wanted to ensure that no-one was giving them grief or negative comments. In short, teenagers are preoccupied with their online image and popularity and that makes them very easy targets for abuse and bullying online. To cap it off (comparing the 2011 Irish survey to CNN) they found the ninety four percents of parents surveyed completely underestimated the amount of online fighting that was occurring through social media.

The message is blatant and clear. Short of banning an awful lot of app’s and web sites – assuming that this were even remotely possible, and it isn’t – the notion of parental oversight in digital space is a myth that society, and in particular some of the ever expanding cadre of online safety experts, need to get past very quickly. One of the most basic truths of digital space and the internet is that it is difficult if not impossible to be entirely private online. Another huge truth is that parental oversight must work with pre-schoolers, at some level does work (with parental effort) with primary level children, and almost certainly doesn’t work with second level teenagers.

With all that in mind, the only reality that will work to protect children online is to design a realistic educational approach incorporating theory and practical demonstration that in the end shows the student what works, what doesn’t, and gives them the confidence to interact online with the knowledge that if they do not take account of what they are being taught, then it is their own responsibility if things go wrong.

And so the message of this post is: parental oversight does not work to protect children online.

]]>BOYD’s, networks and security in a school environmenthttps://childwatch.ie/boyds-networks-security-school-environment/
Fri, 22 Apr 2016 10:18:21 +0000http://childwatch.ie/?p=2229Following a recent conversation with a non-technical school’s principal about BOYD’s (bring your own device), networking options and security, she asked us to put some notes together and post them so that those with responsibility could better understand the issues involved. Hence we have put this blog post together. BOYD’s are a great idea, and Read More ...

]]>Following a recent conversation with a non-technical school’s principal about BOYD’s (bring your own device), networking options and security, she asked us to put some notes together and post them so that those with responsibility could better understand the issues involved. Hence we have put this blog post together.
BOYD’s are a great idea, and in particular with schools. The idea that the student can bring an iPad pre-loaded with books and materials needed for school is a massive improvement on the historic BC (before computers) act of growing and felling trees, printing books that eventually bend the spine of school going children. This drive toward BOYD’s in both business and education is only going one direction – forward – and those that decide for whatever reasons not to embrace it are simply going to be left behind in time.
But embracing BOYD’s in education is not just about getting iPads for students. There are a myriad of issues that need to be addressed and not least wireless infrastructure and security, each of which leads to a significant investment termed the TCO (Total Cost of Ownership) of such a solution, and the that can be a very hefty price in a multi-story school with lots of steel and concrete to contend with. To make a simple analogy: think about the average upstairs/downstairs home with the family wireless router alongside the telephone that is normally tucked away in a corner of a living room, or if you are better prepared or just lucky, in the hallway that may be more central. There is little doubt that the wireless reception is the rooms furthest from that router will have a much degraded performance as distance and building infrastructure increasingly become factors.
The other issue is digital management of the BOYD and the content that the student accesses on it, and by extension the potential for material other than educational content being introduced to the school’s wireless network. This is where the school has to contend with content management and network security including segregation of nets for students, teachers and administrative staff. At this point the ‘bucks’ element is probably emerging in the readers mind and rightly so because any attempt to do this on the cheap or cut corners on the networking infrastructure and security will leave a school exposed to a digital mess that will linger in the wings and eventually bite you when your system has become mission critical, and at that moment the cost of a solution and the implication of downtime while it is solved are a real mess.
So the solution is to get it right up front with the necessary expertise, solution and investment. That sounds a bit ideal in the perfect world but there is no doubt that the more complete the solution is before being rolled out, then the better for everyone. The good news is that many schools have already created such systems and are running them on a daily basis, and so there are templates in place that should give any school a good steer on how to design and implement such a system. One of the first considerations is to decide on what types of devices will run on the network, how they will connect, and what types of applications will be facilitated on them. Will phones and tablets be allowed? How about desktop computers? Is the school running any servers for centralised data access? Is the school allowing external access to their system for staff and parents?
Straight away the school has to consider a wired network, a wireless network, the devices that will run on it, the applications that will run on the devices, and the role of the user using that device, and the bandwidth allocation for individual users or roles. In a school with hundreds of students and staff, at peak usage times it is akin to a busy hotel or a medium sized business. However, the school has the distinct disadvantage that it is not generating business revenue and so has to be very careful in its capital outlay.
One issue that is very important to the school is alternatives to heavyweight mesh solutions that are all things to all people and come with a price tag to match. The TCO for one school after an initial outlay and a couple of years maintenance retainer exceeds €20k, and even for that there are deficiencies in what is running, and in particular in the area of security. In fact it is surprising the amount of instances where vendors offering all manner of applications and infrastructure solutions install and configure their wares in a manner that can leave the school open to all kinds of trouble, and often a non or quasi technical resource within the school that is not an IT specialist, or teacher with a background and comfort level in the area, is either completely unaware of such issues or has some knowledge but bends to the fiscal demands of a hard pressed administration that is trying to do the very best for its staff and students.
There are cost effective ways to do mesh if that is the road that a school is going but it invariably requires someone with a knowledge of configuring and managing/maintaining systems like Ubiquity as an example. Security is equally important and again requires someone with a knowledge of the issues and solutions to keep things running properly.
For instance the majority of schools using a popular online application that allows staff and parents to interact with personal data through the internet was for the most part configured with no SSL (Secure Sockets Layer) in place meaning that all data entered or retrieved, including usernames, passwords, and personal data was traveling between device and school data store in clear text without any encryption. Yikes! This is annoying to interested observers and people with a technical background visiting schools for safety talks etc because we know that installing a certificate (that we understand is freely available for schools from HEAnet) is not the biggest deal in the world. And yet these schools are threading water in a pool labelled data protection and are blessed that no-one has complained or made a query to the data controller, normally the principal.
Another instance found with some schools is the use of MAC (machine access control) address filtering as a sole security measure on a wireless network. The address itself is assigned to each digital device and used for identification in a network environment. However the idea of using this address as a security mechanism through which a particular device is allowed access to a network is flawed since it is possible to alter that address to match another device that has already connected to the network.
Another solution is to use captive portals (a web page that a new user on a network is presented with that requires a number or password that is usually circulated by staff to students or visitors connecting) but they suffer a similar issue to the example with the MAC address and can usually be circumvented very easily.
Both of the previous examples make for messy networking at one level, and a complete security failure at another. The premise in these cases is that the network administrator does not want to use a passphrase (WPA, WPA2 – hopefully NOT WEP – security) which can be a headache if large numbers of users forget the password and it is either simplified to the degree that it is useless, ubiquitous to the extent that it is the product code on the rear of every computer screen in the building, or complex to the degree that it is written on a post-it note that is found in the top drawer of each staff members desk, or school bag of each student in the school.
So the admin decides not to use a passphrase: what can possibly go wrong?
Straight away it is obvious that all data traveling on the network itself is passing in clear text except in cases where the web server to which the device is browsing is using HTTP (secure sockets layer) where all data exchanged is encrypted.
Next, it is difficult to stop an unauthorised user from connecting to the network.
And then comes another problem – since the school wireless network is OPEN (without security) then it potentially compromises each and every connecting device and its user to very simple and yet powerful security flaws that are outside of the school environment.
These are two actual scenarios that inadvertently arose during our live demonstrations that highlight issues around trusting technology and leaving WiFi switched on etc. Can I respectfully suggest that if you are responsible for a school network (network admin or principal) or are the owner of it (school board) then you really need to understand the point being put forward in the following real world examples.
Scenario #1: in a demonstration involving a few hundred students seated in a school gymnasium, it became apparent that staff members seated at the rear of the venue and marking up exam results to the school system had inadvertently connected to the demonstration network system. This occurred because functionality in the demo software detected their devices and the (open – no security – with MAC address filtering only) school network to which they were attached and implemented a very simple routine that resulted in them connecting seamlessly to the demo network and uploading their results to the school through it.
Scenario #2: the school switched off its WiFi router and students then were asked to check their wireless devices which at that moment were in their bags or pockets. On doing so they discovered that they were connected to the schools WiFi, even though the school’s actual WiFi was powered off. They had in fact connected to the demonstration network.
Any school not implementing WiFi security can suffer the consequences of scenario one above, and any user of that system can suffer the consequences of scenario two. Where a school were using the popular online solution mentioned earlier that does not implement SSL then not only could we see the marks being uploaded, but could very simply either alter them, or worse, completely take over the teachers connection to the school admin system and interact freely with any school application that they have access to.
And so we began this piece talking about BOYD’s and the possibility of using mesh or static WiFi solutions, the idea of using in-house educational knowledge as against consultants and solution providers, the total cost of ownership, the small matter of releasing personal data and credentials onto the internet without encryption, and some issues that can result in not implementing adequate security systems in schools networks.
To the very progressive education lady that challenged me to put my musings and meanderings in print, my promise is fulfilled.
pmk

]]>School as a Safer Internet Centrehttps://childwatch.ie/schools-as-digital-bobbies/
Sat, 19 Mar 2016 02:54:07 +0000http://childwatch.ie/?p=1492This document was first published in the Leader magazine prior to our workshop at the NAPD (National Association of Principals and Deputies) Annual Conference 2015 under the title "Schools as Digital Bobbies". It examines the expanding dependence on school admins and staff to receive and manage reports of online harassment, image misuse and even grooming, Read More ...

This document was first published in the Leader magazine prior to our workshop at the NAPD (National Association of Principals and Deputies) Annual Conference 2015 under the title "Schools as Digital Bobbies". It examines the expanding dependence on school admins and staff to receive and manage reports of online harassment, image misuse and even grooming, and the difficulties that such reports give rise to. A couple of lines have been added to the original document to clarify context.

Schools are not well placed to manage incidents that originate or perpetuate in cyber space. The issues are complex and resource intensive to investigative and can present challenges even for the Gardai. The state for many years thrust responsibility for managing bullying and other inter-student ills upon schools staff. In the digital age, that is no longer an option.

In May 2014, a government appointed advisory body examining internet content governance offered its report beginning with a statement of the financial worth and benefits of the digital industry to our society. It further referred to our ‘Internet Safety System’ as being robust and capable of responding to online harms, particularly of an illegal nature.

In 2011 an EU-wide survey of 9 to 16 year olds found that Ireland was the safest place in Europe for young people online with 93% of parents mitigating their children’s activities on the Internet. The findings are reflected in the Seventh Report of the Special Rapporteur on Child Protection, Dr. Geoffrey Shannon to the Oireachtas in 2014:

“This data demonstrates that while risks certainly exist online, Irish children experience less risk than their EU counterpart. Many of the figures for risky behaviour such as meeting people first met online, or posting explicit images of themselves online are quite low. While efforts should continue to be made to reduce these even further, the empirical data is quite encouraging as it shows that children, educators, and care givers are generally aware of the potential risks that exist online and act to avoid them or reduce their impact”.

In fairness to Dr. Shannon, his findings are based on the much lauded and publicised 2011 report. It is against that backdrop that lawmakers work to shape the needs of our society in the digital age. Young people interacting online leave a digital footprint that is the sum of all of their online activities. The nature of their individual footprint can be used by HR people to form an opinion that supports or otherwise the contents of a CV, and similar elements can bring a young person to the notice of people that would do them harm through harassment such as grooming, cyber-bullying and image misuse to highlight three common difficulties among that age group.

All forms of online harassment impact on the school environment. Affected students congregate and share information some of which is collectively harmful particularly since online innuendo and rumour are rife; truths, half-truths and lies combine to become greater ‘truths’ and small problems between young people that are manageable in the real world get completely out of hand, so fast that they are difficult to contain. Ordinarily the school is on the tail end of the process receiving a report from a parent or student when the flare up is matured and heated. Typically on the SARAH (shock, anger, resentment, acceptance and healing) scale, school staff are landed with the issue somewhere between shock and anger meaning that there is an awful long road to travel to solve the problem, whatever ‘solve’ looks like at the conclusion, assuming that there ever is one.

The tradition that bullying largely occurs in schools is no longer true. The school is a player, a piece of the jigsaw but absolutely not a source of investigation or remediation. And so it is reasonable to say that no school can be held responsible for determining the outcome of a cyber incident when at best it can only contribute to a solution in ways within its remit.

I meet many schools councellors and principals that want to refer incidents to An Garda Siochana who in turn have to establish that a crime has been committed to initiate an investigation from which court orders can be obtained to acquire the necessary information to prosecute. The law is not favourable to cyber harassment in its current form and requires sensible update make it easier for stakeholders to manage cases. I say, ’sensible’ because the wording of the law is one thing; resources to implement it are something completely different and for the most part, investigation of cyber crime is time consuming and resource intensive.

The one favourable factor about cyber bullying is that it is detectable and it is also possible to determine those involved, unlike instances of grooming and image misuse where victims are often unaware that they have been targeted.

What of students exploring relationships where one is consuming online pornography and is influenced by it?

The regulated pornography industry that existed in the era of VHS and DVD is completely overrun by what is termed user generated content where site users are sourcing or making their own material. This content is largely unregulated and often depicts teenagers making amateur porn either freely or under duress. It is of course no surprise that teenagers seeking this material for their personal entertainment are enacting what they see in the real world and that presents huge issues for those whom they encounter in relationships that are unprepared for such expectations.

Society must acknowledge online pornography and lay a grounding for students to understand that they have a choice; that the content is not reflective of mainstream relationships; that a person acquiescing with its consumers by extension acts the role of the porn star that very often suffers violence and denigration.

Grooming is a most horrendous crime against a child that is perpetrated in ways such that victims often never become aware that they have been targeted. It is personal engineering through means available in digital space to find, forge a path, influence, befriend, and where circumstance allow then sexually attack a victim through personal image, web cam, or physical encounter. Today we use terms such as ‘sextortion’ to describe sexually oriented blackmail. Financial and sex scams represent a primary threat to all young persons in addition to grooming and yet we have little structured education to prepare them to recognise such attacks.

Misuse of images on pornographic and image-sharing sites raise levels of stress for victims that have resulted in loss of life, self-harm, and present long term psychological challenges that are seldom resolved. The nature of the imagery varies depending on the source: images copied from social media, candids taken without the knowledge of the victim, partial or fully nude images shared for private use only, images involving a sexual act.

Our study named Digital Fish reveals evidence of victims as young as eleven having their images copied from their social media pages to web sites where they are displayed and commented upon for the pleasure of users. In many cases such commentary comes from persons that exhibit a blatant sexual interest in minors which is a concern since 80 of the (then - April 2015) 220 victims identified by us are easily identifiable because the uploading user has supplied the victim’s forename and surname initial; some victims are living in rural settings with few or a single school making tracing virtually certain; some of these victims appending geo-tagging data to photos and social media posts render tracing completely certain.

Those victims may only represent from ten to twenty percent of all those affected that are out there. Instances of snaps depicting partial nudity of minors; revenge porn incidents; online abuse perpetrated against school’s staff; are all factors in digital space that have enabled abusers of children and adults alike to reach an adoring and unforgiving audience.

Victims may endure ridicule, bullying, online and physical sexual harassment and grooming, and can remain generally uninformed and unaware of their situation because the result of informing victims or parents is unpredictable and very often destructive.

From the moment of upload a risk exists, and this continues until a crime is committed at which time An Garda Siochana bring their expertise to the table, or the victim simply matures without incident. This means that we do nothing but wait and see if a risk elevates to a crime and that may be an appalling life changing event for a victim.

A very old saying: security through obscurity is no security at all meaning that hiding the front door key in the garden flower patch is obscurity, not security. That analogy applies well in the area of online protection of children.

But what of the victim that is aware and upset at the presence of their images on these sites; where do they go for assistance; who do they call?

Tusla seems overwhelmed by its existing workload and a non-nude image upload doesn’t supersede an actual abuse case. The Gardai can only investigate a confirmed crime meaning that the image would have to be in contravention of the Child Trafficking and Pornography Act and a ‘WezzGear’ image doesn’t apply.

In conclusion our ‘Internet Safety System’ is not robust and is incapable of responding to online harms that are not of an illegal nature. Schools are places of education and the online safety and reputation syllabus needs overhaul to benefit both staff and students.

Most of all it is without any foundation or logic that a school’s principal or guidance councillor should be presented with a situation where they are responsible for investigating or otherwise ensuring the safety of a student online. Such an officer of the school has little resources to call on for support and Ireland’s EU funded ‘Safer Internet Centre’ doesn’t actually exist. In fact a school’s principal may only have recourse to contact the local duty social worker or community Garda for support.